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Description 

Technical Field 

The present invention relates to a technique for the 
protection of information on one or more fault-tolerant re- 
dundant information storage devices that permits detec- 
tion of which information is correct after associated one 
or more redundant device controllers write information 
into non-relative storage locations of the redundant stor- 
age device(s). 

Description of the Prior Art 

Fault-tolerant disk systems use redundancy, or du- 
plication, of data storage on mirrored disks to protect loss 
of data in case of equipment failure. Examples of such 
system are disclosed in the articles by G. Hendrie in 
Electronics, Vol. 56, No. 2, January 27, 1983, at pages 
103-105; and J. Kavanagh in Management Review 
(GB), September 1984 at pages 22-23. In the Hendrie 
article, a digital data recording and playback apparatus 
is disclosed which includes two data transmission chan- 
nels for recording in duplicate a stream of data bits on 
separate tracks of a magnetic tape, each recorded bit 
stream being potentially influenced by a pattern of sta- 
tistically distributed recording surface defects. During 
playback, error detection and correction circuitry for each 
channel provides an alarm signal synchronized with 
each uncorrected error condition in the corresponding 
stream of playback bits. A control circuit, responsive to 
the alarm signals from each channel, serves to interleave 
error-free bits from one channel to the exclusion of error 
bits from the other channel, to provide a single continu- 
ous steam of relatively error free bits corresponding to 
the recorded signal. In the Kavanagh article, a tandem 
computer system is discussed which comprises two or 
more processors connected together by a duplicate link 
so that the processors can share workloads and periph- 
erals and back each other up to produce a fault-tolerant 
computer system. 

Such duplication, however, only protects against the 
destruction of data when one of the redundant disk sys- 
tems fail, but does not protect the data when the redun- 
dant disk controllers write the data into different sections 
of the mirrored disks because of a problem with one of 
the disk controllers. With such error, it is almost impos- 
sible to tell which disk is correct without searching both 
disks in a time consuming operation. 

The problem remaining in the prior art is to provide 
a technique which: 

(1 ) will detect that information stored in a storage location 
is not the same as that information stored in a redundant 
storage location; and (2) can then easily determine which 
of the redundant storage locations contains the correct 
data. 



Summary of the Invention 

A method and system according to the invention are 
set out in claims 1 and 3 respectively. The invention re- 

5 lates to a technique for information protection on one or 
more fault-tolerant information storage devices, and for 
detecting which of the redundant stored information in 
related storage locations of the information storage de- 
vice^) is correct in a fast and simple manner when the 

10 information in both redundant storage locations is not the 
same. More particularly, as each section of information 
to be stored is received, a separate monotonically in- 
creasing number is added to each section of information 
just priortothat information being stored in the redundant 

15 storage locations. Therefore, when the information does 
not match during the subsequent accessing of the redun- 
dant storage locations on the redundant storage device 
(s), an error is determined to have occurred in the redun- 
dant storage location including the lower monotonically 

20 increasing number, since such information had to be 
stored prior in time to the information stored with the 
higher monotonically increasing number, and the correct 
information is in the redundant storage location contain- 
ing the higher monotonically increasing number. 

25 

Brief Description of the Drawing 

FIG. 1 is a block diagram of an exemplary process- 
ing section of an exemplary computer system for 
30 practicing the present invention; 

FIG. 2 is a diagram of an exemplary format of infor- 
mation to be stored in the mirrored disks of FIG. 1 ; 
FIG. 3 is an illustration of predetermined storage 
locations on disks A and B of FIG. 1 ; and 
35 Fig. 4 is an illustration of the predetermined storage 
locations of FIG. 2 after predetermined information 
has been stored therein and how a correct informa- 
tion entry can be determined. 

40 Detailed Description 

The following description of the preferred embodi- 
ment is directed to storage of data on redundant compu- 
ter disk units. However, it is to be understood that such 
45 description is not for limitation purposes and that the 
present invention can be applied to the storage of any 
form of information on redundant media or one or more 
storage devices, where a same storage device can be 
used to store the same information in two or more redun- 
so dant locations thereon. 

FIG. 1 is a block diagram of a pertinent portion of an 
exemplary processing section of a computing system 
which includes a Central Processing Unit (CPU) 1 0 com- 
prising a processor 11 , a Read Only Memory (ROM) 12 
55 for storing the main program for processor 1 1 , and a Ran- 
dom Access Memory (RAM) 13 which includes a 
scratchpad memory. Processor 11 is shown as including 
a Register 1 4, shown by dashed lines, which will be used 
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for exemplary purposes in hereinafter describing the 
present inventive fault tolerant technique. While only one 
CPU is shown, it is to be understood that CPU 10 can 
be duplicated and run in synchronism with the other CPU 
as is well known in the art for ensuring that an equipment 
failure in a CPU will not disable the entire computer sys- 
tem. However, for purposes of simplicity, the following 
description will be based on an exemplary computer sys- 
tem that has only one CPU 1 0. CPU 1 0 is shown as being 
connected to peripheral units by a bus 1 5, of which only 
a first disk controller 20, and a second disk controller 21 
are shown. Disk controllers 20 and 21 are redundant 
controllers that operate in concert with each other to nor- 
mally coordinate the write or read of data to or from a 
same relative storage location or sector on a first disk 22 
and a second disk 23, respectively, as is well known in 
the art. It is to be understood that when a single storage 
device or disk is used for fault-tolerant information pro- 
tection, the information would be stored in sequence in 
two "relative" or redundant storage locations on the 
same storage device or disk. Additionally, it is to be un- 
derstood that with mirrored disks the redundant storage 
locations on the disk can be: (1 ) the exact same storage 
location when perfectly mirrored; or (2) different, but "rel- 
ative" or offset, storage locations on the disks. As is also 
known in the art, when one of the redundant disk con- 
trollers 20 or 21 become disabled, the other disk control- 
ler can simultaneously or sequentially write data onto the 
first and second disks 22 and 23 to maintain the mirrored 
data, or just read from one or both of the disks, until the 
disabled controller is repaired. 

The term "mirrored disks" indicates that each of 
disks 22 and 23 normally stores the same data in the 
same relative storage location or sector of each disk for 
redundancy purposes. Fault-tolerant disk systems use 
redundancy of data storage to protect data in case of 
equipment failure. In addition, most fault-tolerant equip- 
ment vendors store the address, identifier, or number, of 
the sector in which the data is to be stored along with the 
actual data to be stored in that sector as a redundancy 
check, but this does not cover all possibilities for detect- 
ing errors of storage as will be shown in the following 
description. It will be assumed hereinafter that (a) the 
data address, or sector number, and (b) the actual data 
to be stored are encoded with a circular redundancy 
code, or any suitable error correcting code, before being 
sent by processor 11 over bus 15 to controllers 20 and 
21 . To enable the swift and easy detection of faulty data 
in a corresponding sector of one of disks 22 or 23, a mo- 
notonically increasing number is added to the sector ad- 
dress and data information before such sector address 
and data information is simultaneously or sequentially 
stored in mirrored disks 22 and 23 via controllers 20 and 
21 . A monotonically increasing number is defined herein 
as a sequence of numbers such that the n+1th number 
is always greater than the n th number. For example, the 
cardinal numbers 1,2,3, etc., can be denoted as a time 
and date number as,, for example, November 15,1989, 



at 2:00.00 p.m. which can be written as 8911151400.00 
and used as a monotonically increasing number, where 
the next monotonically increasing number in the se- 
quence might be 8911151400.01 for the next second of 

s time and used if information is to be stored during that 
second in time. Such monotonically increasing number 
may be added, for example, by processor 11 before 
transmitting the sector number and data over bus 15 to 
controllers 20 and 21. Processor 11 can, for example, 

10 obtain such monotonically increasing numberfrom a reg- 
ister 14 which is incremented with every data transmis- 
sion being sent to controllers 20 and 21 for simultaneous 
storage in mirrored disks 22 and 23 or by any other suit- 
able means. 

15 FIG. 2 illustrates an exemplary arrangement of a 
packet of data that is stored in duplicate by controllers 
20 and 21 on mirrored disks 22 and 23. The format used 
for such packet of data includes a disk sector number 
section 30 including a predetermined number of K bits 

20 indicating the sector address or relative storage location 
identifier in which the data is to be stored; a section 31 
comprising a predetermined number of L bits for use in- 
dicating the monotonically increasing number; and a 
section 32 comprising a predetermined number of M bits 

25 for sending the actual data bits. It is to be understood 
that the format shown is only for purposes of explanation 
and not for purposes of limitation in that any other suita- 
ble arrangement of such sections would fall within the 
spirit and scope of the present invention. However, the 

30 format shown in FIG. 2 will be assumed for the transmis- 
sion and storage of data in the discussion which follows. 

FIG. 3 illustrates five exemplary disk sectors, num- 
bered 1 -5, on each of disks 22 and 23 which are originally 
assumed empty. In a first illustrative step, data designat- 
es ed D1 is generated or obtained from a peripheral device 
by processor 11 for storage in mirrored disks 22 and 23. 
Processor 11 determines that data D1 is to be stored in 
sector 2; adds the sector number "2" in section 30 of the 
packet; obtains and adds the next monotonically increas- 

40 jng number, here determined as number 100, in section 
31 of the packet; adds data D1 into section 32 of the data 
packet; ad then transmits the packet over bus 1 5 to con- 
trollers 20 and 21. Controllers 20 and 21 receive this 
packet, use the sector address from section 30 of the 

45 data packet to access sector 2 in each of mirrored disks 
22 and 23, and store the data packet therein. As shown 
in FIG. 3, at the conclusion of this step, when no error 
has taken place, sector 2 of each of disks 22 and 23 is 
found to store the sector number (2), the monotonically 

50 increasing number (1 00) and the data (D1 ) found in the 
received data packet. For an exemplary next step, it will 
be assumed that processor 11 receives second data D2 
that it determines should be stored in sector 3 of mirrored 
disks 22 and 23. Therefore, processor 1 1 adds the sector 

55 number 3 in section 30 of the data packet; the next mo- 
notonically increasing number 101 in section 31 of the 
data packet; the data D2 in section 32 of the data packet; 
and transmits such data-packet to controllers 20 and 21 
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via bus 15. With no writing error, controllers 20 and 21 
will write such data packet information into sector 3 of 
each of mirrored disks 22 and 23, as shown in FIG. 3. 

FIG. 4 illustrates the case of a writing error by one 
of controllers 20 and 21 at a period of time after the above 
two steps, shown in FIG. 3, have been completed. For 
example, it will be assumed that processor 11 receives 
or generates data designated D3 that it determines 
should be stored in sector 3 of mirrored disks 22 and 23. 
Therefore, processor 11 forms the data packet with the 
designated sector number (3) placed in section 30 of the 
packet; the next monotonically increasing number, e.g., 
1 1 3, placed in section 31 of the data packet; the data D3 
in section 32 of the data packet; and transmits such data 
packet to controllers 20 and 21 via bus 15. It is now as- 
sumed that controller 20 correctly stores this data packet 
in sector 3 of disk 22, thereby overwriting the previously 
stored D2 data packet, while controller 21 erroneously 
write this data packet into sector 2 of disk 23, thereby 
overwriting the previously stored D1 data packet. 

When processor 11 thereafter determines that the 
data in sector 2 is to be read, it sends a "read" instruction 
to controllers 20 and 21 which access sector 2 on mir- 
rored disks 22 and 23, respectively, and initially, for ex- 
ample, compare the data sections 32 to fnd that the D1 
and D3 data do not match and determine that an error 
has occurred. Had no error in the data matching oc- 
curred, one of the controllers 20 and 21 would have then 
sent the data to processor 1 1 . However, once such error 
has been found, controllers 20 and 21 would then com- 
pare the sector address stored in sector 2 of disks 22 
and 23. In accordance with the example shown in FIG. 
4, controller 20 would determine that the sector address 
in sector 2 of disk 22 is correct, and controller 21 would 
find that the sector address in sector 2 of disk 23 was 
incorrect, thereby indicating that the data packet stored 
in sector 2 of disk 22 was the correct data. In practice, 
having made such determination of an error in sector 2 
of disk 23, either controller 20 or 21 could overwrite sec- 
tor 2 of disk 23 with the packet of data presently stored 
in sector 2 of disk 22 so that both disks now match in 
sector 2 or some other appropriate error-recovery pro- 
cedure. 

When processor 11 thereafter determines that the 
data in sector 3 is to be read, controllers 20 and 21 re- 
ceive the "read" instruction from processor 11 and ac- 
cess sector 3 on mirrored disks 22 and 23, respectively. 
When controllers 20 and 21 first compare the data sec- 
tions 32 in both stored data packets, they will find that 
the D3 and D2 data do not match. Controllers 20 and 21 
then compare the sector address stored in packet sec- 
tion 30 in sector 3 of both disks 22 and 23 and find that 
they match. In accordance with the prior art, this is as far 
as the error detection could proceed since, at most, only 
the sector address in section 30 and the data in section 
32 were stored. Therefore, with prior art systems it would 
be impossible to tell which of the mirrored disks 22 and 
23 carried the correct data in sector 3 without performing 



an interrupt of the computer system and doing a search 
of both disks 22 and 23 in a time consuming operation. 
However, in accordance with the present invention, con- 
trollers 20 and 21 can easily determine which of the two 

s data packets stored in sector 3 of disks 22 and 23 is the 
correct data by next comparing the monotonically in- 
creasing number stored in section 31 of the data packet 
in sector 3 of disks 22 and 23. When performing this func- 
tion, it can be seen from FIG. 4 that the data packet in 

10 sector 3 of disk 22 has the correct data, since its monot- 
onically increasing number is 1 1 3 while the monotonical- 
ly increasing number stored in sector 3 of disk 23 is only 
101, where the higher number indicates a most recent 
writing of a data packet into a disk sector while the lower 

15 number concurrently indicates that the data packet con- 
tains old and unwanted data. It is to be understood that 
the function of controllers 20 and 21 performing the com- 
parisons is for purposes of illustration and not for pur- 
poses of limitation, and that such comparisons could be 

20 performed by any device or medium within the system 
as, for example, processors 11 and still be within the 
scope of the present invention. 

In conclusion, a preferred sequence for reading data 
from corresponding sectors of mirrored disks wouldbeto 

25 first compare the data in section 32 of the corresponding 
sectors to see if the data in those sectors matched, and 
to send the data to processor 11 if the data matched. If 
the data in the corresponding sectors did not match, then 
the stored sector address numbers in section 30 of the 

30 stored data packets would be compared, and if they did 
not match, then the data in the packet with the correct 
sector address number would be sent to processor 11 . 
However, if the sector addresses matched, then the mo- 
notonically increasing number stored in section 31 of the 

55 stored data packets would be compared and the data 
packet with the higher number would be sent to proces- 
sor 11 since this is the most recent data to be stored in 
that sector. It is to be understood that these steps could 
be performed in a different sequence and still provide the 

40 ultimate result described above, and thereby still fall 
within the scope of the present invention. 



Claims 

45 

1 . A method of operating at least first and second fault 
tolerant redundant information storage devices, 
where each information packet stored on the redun- 
dant information storage devices includes a first sec- 

50 tion comprising a storage location identifier on an 
information storage device where the information 
packet is to be stored, a second section comprising 
information to be stored in the storage location iden- 
tifier indicated in the first section, and a third section 

55 including a number which is a separate monotoni- 
cally increasing number that is applied to each 
sequential packet that is stored on the redundant 
information storage devices and the method 
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includes reading information comprising the steps 
of: 

(a) comparing the information in the second 
section of each stored information packet and s 
transmitting the information from one of the 
compared information packets to a requesting 
end user device when the information compar- 
ison determines that the information in the rela- 
tive storage locations match, to 

(b) comparing the storage location identifiers in 
each first section of the stored information 
packet in each of the accessed storage loca- 
tions of the redundant information storage 
devices when the information in the compared is 
storage locations in step (a) does not match, 
and transmitting the information from the com- 
pared information packets including a correct 
storage location identifier to the requesting end 
user device when the compared storage loca- 20 
tion identifiers do not match; and 

(c) comparing the number stored in the third 
section of the information packets compared in 
steps (a) and (b) when both the information 
comparison in step (a) is found not to match, 25 
and the storage location identifiers in step (b) 

are found to match, and transmitting the infor- 
mation from the information packet found to 
have the highest number in the third section of 
the compared information packets. 30 

2. A method as claimed in claim 1 including storing 
information comprising the steps of: 

(d) transmitting information packets in 35 
sequence to at least first and second redundant 
storage device controllers for the concurrent 
storage of each packet in a predetermined cor- 
responding storage location of the at least first 
and second redundant information storage 40 
devices, each sequential information packet 
comprising (i) a storage location identifier dis- 
posed in a first section of the information packet 
indicating the destined storage location on the 

at least first and second redundant information 45 
storage devices for the information packet, (ii) 
information disposed in a second section of the 
information packet for storage in the storage 
location designated in the first section, and (iii) 
a unique number disposed in a third section of so 
the information packet which is a separate 
monotonically increasing number provided to 
each sequential packet that is transmitted to the 
storage device controllers; and 

(e) the redundant storage device controllers 55 
using the storage location identifier in the first 
section of each received information packet for 
accessing a storage location in each of the 



redundant information storage devices, and 
storing the information packet, including the 
first, second, and third sections, in the accessed 
storage locations of the redundant information 
storage devices. 

3. A fault-tolerant system comprising: 

at least first and second redundant information 
storage devices, each device including a plural- 
ity of storage locations for storing separate 
packets of information; and 
at least first and second information device con- 
trollers arranged to perform corresponding 
operations, 

each information device controller comprising, 
means for accessing a separate one of the at 
least first and second redundant information 
storage devices when none of the storage 
devices or controllers are disabled, for writing 
an information packet into a predetermined stor- 
age location of the accessed storage device, 
each information packet including (i) a first sec- 
tion comprising a storage location identifier cor- 
responding to the storage location on the redun- 
dant information storage device where the infor- 
mation packet is to be stored, (ii) a second sec- 
tion comprising the information to be stored in 
the storage location indicated by the first sec- 
tion, and (iii) a third section comprising a 
number which is a separate monotonically 
increasing number that is applied to each 
sequential packet being stored on the one or 
more redundant information storage devices, 
wherein each of the accessing means is also 
arranged for reading an information packet from 
a predetermined storage location of the 
accessed storage device; and 
comparison means, responsive to the access- 
ing means reading an information packet from 
a predetermined storage location on the asso- 
ciated storage device, for (i) comparing the 
information stored in the second section of the 
accessed information packet with information 
stored in the second section of accessed infor- 
mation packets of corresponding storage loca- 
tions of the other storage devices, for determin- 
ing if the information from the corresponding 
accessed storage locations match, and trans- 
mitting such information to a requesting end 
user device when the information is found to 
match to end the packet reading step, (ii) com- 
paring the storage location identifier in the first 
section of the accessed information packet with 
the storage location identifier in the first section 
of accessed information packets from corre- 
sponding storage locations of the other 
accessed ones of the storage devices, when the 



5 



9 



EP 0 430 482 B1 



10 



accessing means has determined that the infor- 
mation from accessed corresponding storage 
locations of the accessed storage devices does 
not match, and transmitting the information 
stored in the information packet including the 
correct storage location identifier to the end user 
device when the compared storage location 
identifiers do not match to end the packet read- 
ing step, and (iii) comparing the number in the 
third section of the accessed information packet 
with the number in the third section of each of 
the corresponding storage locations in the other 
accessed storage locations when (a) an infor- 
mation match has not been found and (b) the 
storage location identifiers have been found to 
match, for transmitting the information from the 
compared information packet including the 
highest number in the third section to the end 
user device to conclude the packet reading 
step. 

Patentanspriiche 

1. Veriahren zum Betreiben mindestens erster und 
zweiter fehlertoleranter redundanter Informations- 
speichervorrichtungen, wobei 

jedes in den redundanten Informationsapei- 
chervorrichtungen gespeicherte Informationspaket 
einen ersten Teil mit einer Speicherstellenkennung 
in einer Informationsspeichervorrichtung, wo das 
Informationspaket zu speichern ist, einen zweiten 
Teil mit in der im ersten Teil angezeigten Speicherst- 
ellenkennung zu speichernden Informationen und 
einen dritten Teil mit einer Nummer, die eine 
getrennte monoton steigende Nummer ist, die an 
jedes sequentielle Paket angelegt wird, das in den 
redundanten I nformationapeichervorrichtungen 
gespeichert wird, enthalt, und das Verfahren das 
Lesen von Informationen mit folgenden Schritten 
umfafBt: 

(a) Vergleichen der Informationen im zweiten 
Teil jedes gespeicherten Informationspakets 
und Ubertragen der Informationen aus einem 
der verglichenen Informationspakete zu einer 
anfordernden Endbenutzervorrichtung, wenn 
durch den Informationsvergleich bestimmt wird, 
daB die Informationen an den relativen Spei- 
cherstellen ubereinstimmen, 

(b) Vergleichen der Speicherstellenkennungen 
in jedem ersten Teil des gespeicherten Informa- 
tionspakets an jeder der erreichten Speicherst- 
ellen der redundanten Informationsspeicher- 
vorrichtungen, wenn die Informationen an den 
verglichenen Speicherstellen im Schritt (a) nicht 
ubereinstimmen, und Ubertragen der Informa- 
tionen aus den verglichenen Informationspake- 



ten einschlieftlich einer richtigen Speicherstel- 
lenkennung zur anfordernden Endbenutzervor- 
richtung , wenn die verglichenen Speicherstel- 
lenkennungen nicht ubereinstimmen; und 
5 (c) Vergleichen der im dritten Teil der in Schrit- 

ten (a) und (b) verglichenen Informationspakete 
gespeicherten Nummer, wenn sich sowohl her- 
ausstellt, daR der Informationsvergleich im 
Schritt (a) keine Ubereinstimmung ergibt, als 
10 auch herausstellt, daG die Speicherstellenken- 

nungen im Schritt (b) ubereinstimmen, und 
Ubertragen der Informationen aus dem Infor- 
mationspaket, von dem sich herausgestellt hat, 
da3 es die hochste Nummer im dritten Teil der 
15 verglichenen Informationspakete aufweist. 

2. Verfahren nach Anspruch 1 einschlieGlich der Spei- 
cherung von Informationen, mit folgenden Schritten: 

20 (d) Ubertragen von Informationspaketen der 

Reihe nach zu mindestens ersten und zweiten 
redundanten Speichervorrichtungssteuerun- 
gen fur die gleichzeitige Speicherung jedes 
Pakets an einer vorbestimmten entsprechen- 
25 den Speicherstelle der mindestens ersten und 

zweiten redundanten Informationsspeichervor- 
richtungen, wobei jedes sequentielle Informati- 
onspakets (i) eine in einem ersten Teil des Infor- 
mationspakets angeordnete Speicherstellen- 
30 kennung, die die zielspeicherstelle in den min- 

destens ersten und zweiten redundanten Infor- 
mations-speichervorrichtungen fur das Infor- 
mationspaket anzeigt, (ii) in einem zweiten Teil 
des Informationspaket angeordnete Informatio- 
ns nen zur Speicherung an der im ersten Teil 
bezeichneten Speicherstelle, und (iii) eine in 
einem dritten Teil des Informationspakets ange- 
ordnete einmalige Nummer, die eine getrennte 
monoton steigende Nummer ist umfaBt, die fur 
40 jedes sequentielle Paket bereitgestellt wird, das 
zu den Speichervorrichtungssteuerungen uber- 
tragen wird umfaRt; und 
(e) Benutzen der Speicherstellenkennung im 
ersten Teil jedes empfangenen Informationspa- 
45 kets durch die redundanten Speichervorrich- 
tungssteuerungen zum Zugreifen auf eine Spei- 
cherstelle in jeder der redundanten Informati- 
onsspeichervorrichtungen, und Speichern des 
Informationspakets einschlieGlich der ersten, 
50 zweiten und dritten Teile an den erreichten Spei- 
cherstellen der redundanten Informationsspei- 
chervorrichtungen. 

3. Fehlertolerantes System mit folgenden: 

55 

mindestens ersten und zweiten redundanten 
Informationsspeichervorrichtungen, die jeweils 
eine Mehrzahl von Speicherstellen zur Speiche- 
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rung getrennter Informationspakete enthalten; 
und 

mindestens ersten und zweiten Informations- 
vorrichtungssteuerungen zur Durchfuhrung 
entsprechender Operationen, wobei jede Infor- 5 
mationsvorrichtungssteuerung folgendes 
umfaGt: 

Mittel zum Zugreifen auf eine getrennte der min- 
destens ersten und zweiten redundanten Infor- 
mations-speichervorrichtungen, wenn keine to 
der Speichervorrichtungen oder Steuerungen 
gesperrt sind, zum Einschreiben eines Informa- 
tionspakets in eine vorbestimmte Speicherst- 
elle der erreichten Speichervorrichtung, wobei 
jedes Informationspaket (i) einen ersten Teil mit is 
einer Speicherstellenkennung, die der Spei- 
cherstelle in der redundanten Informati- 
ons-speichervorrichtung entspricht, wo das 
Informationspaket zu speichern ist, (ii) einen 
zweiten Teil mit den an der vom ersten Teil 20 
angezeigten Speicherstelle zu speichernden 
Informationen, und (iii) einen dritten Teil mit 
einer Nummer, die eine getrennte monoton stei- 
gende Nummer ist, die an jedes in der einen 
oder in mehreren redundanten Informations- 25 
speichervorrichtungen gespeicherte sequenti- 
elle Paket angelegt wird, umfaGt, wobei jedes 
der Zugriffsmittel auch zum Auslesen eines 
Informationspakets aus einer vorbestimmten 
Speicherstelle der erreichten Speichervorrich- 30 
tung angeordnet ist; und 
auf die Zugriffsmittel, die ein Informationspaket 
aus einer vorbestimmten Speicherstelle in der 
zugehorigen Speichervorrichtung auslesen, 
reagierende Vergleichsmittel zum (i) Verglei- 35 
chen der im zweiten Teil des erreichten Informa- 
tionspakets gespeicherten Informationen mit im 
zweiten Teil von erreichten Informationspake- 
ten an entsprechenden Speicherstellen der 
anderen Speichervorrichtungen gespeicherten 40 
Informationen zum Bestimmen, ob die Informa- 
tionen von den entsprechenden erreichten 
Speicherstellen ubereinstimmen, und zum 
Ubertragen dieser Informationen zu einer anfor- 
dernden Endbenutzervorrichtung, wenn sich 45 
herausstellt, daB die Informationen uberein- 
stimmen, den Paketleseschritt zu beenden, (ii) 
Vergleichen der Speicherstellenkennung im 
ersten Teil des erreichten Informationspakets 
mit der Speicherstellenkennung im ersten Teil so 
erreichter Informationspakete aus entspre- 
chenden Speicherstellen der anderen erreich- 
ten der Speichervorrichtungen, wenn die 
Zugriffsmittel bestimmt haben, daG die Informa- 
tionen aus erreichten entsprechenden Spei- 55 
cherstellen der erreichten Speichervorrichtun- 
gen nicht ubereinstimmen, und Ubertragen der 
im Informationspaket gespeicherten Informatio- 



nen einschlieGlich der richtigen Speicherstel- 
lenkennung zur Endbenutzervorrichtung, wenn 
die verglichenen Speicherstellenkennungen 
nicht ubereinstimmen, urn den Paketleseschritt 
zu beenden, und (iii) Vergleichen der Nummer 
im dritten Teil des erreichten Informationspa- 
kets mit der Nummer im dritten Teil jeder der 
entsprechenden Speicherstellen an den ande- 
ren erreichten Speicherstellen, wenn (a) keine 
Informationsubereinstimmung gefunden wor- 
den ist und (b) sich herausgestellt hat, daG die 
Speicherstellenkennungen ubereinstimmen, 
zum Ubertragen der Informationen aus dem 
verglichenen Informationspaket einschlieGlich 
der hochsten Nummer im dritten Teil zur End- 
benutzervorrichtung, urn den Paketleseschritt 
zu beenden. 



Revendi cat ions 

1 . Un procede pour faire fonctionner au moins des pre- 
mier et second dispositifs d'enregistrement d'infor- 
mation redondants et tolerant des defauts, dans 
lequel 

chaque paquet d'information qui est enregistre 
dans les dispositifs d'enregistrement d'information 
redondants comprend une premiere section consis- 
tant en un identificateur de position d'enregistre- 
ment sur un dispositif d'enregistrement d'informa- 
tion dans lequel le paquet d'information doit etre 
enregistre, une seconde section consistant en une 
information a enregistrer dans I'identificateur de 
position d'enregistrement qui est indique dans la 
premiere section, et une troisieme section compre- 
nant un nombre qui est un nombre separe, augmen- 
tant de facon monotone, qui est applique a chaque 
paquet sequentiel qui est enregistre dans les dispo- 
sitifs d'enregistrement d'information redondants, et 
le procede comprend la lecture d'information, avec 
les etapes suivantes : 

(a) on compare I'information dans la seconde 
section de chaque paquet d'information enre- 
gistre et on emet I'information a partir de I'un des 
paquets d'information compares vers un dispo- 
sitif utilisateur final demandeur, lorsque la com- 
paraison d'information determine que les infor- 
mations dans les positions d'enregistrement 
relatives concordent, 

(b) on compare les identificateurs de position 
d'enregistrement dans chaque premiere sec- 
tion du paquet d'information enregistre dans 
chacune des positions d'enregistrement aux- 
quelles on accede dans les dispositifs d'enre- 
gistrement d'information redondants, lorsque 
I'information dans les positions d'enregistre- 
ment comparees a I'etape (a) ne concorde pas, 
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et on emet I'information a partir des paquets 
d'information compares contenant un identifica- 
teur de position d'enregistrement correct, vers 
le dispositif utilisateur final demandeur, lorsque 
les identificateurs de position d'enregistrement s 
compares ne concordent pas; et 

(c) on compare le nombre enregistre dans la 
troisieme section des paquets d'information qui 
sont compares aux etapes (a) et (b) lorsque, a 

la fois, la comparaison d'information a I'etape to 
(a) indique I'absence de concordance, et les 
identificateurs de position d'enregistrement a 
I'etape (b) sont trouves en concordance, et on 
emet I'information a partir du paquet d'informa- 
tion pour lequel on a trouve le nombre le plus is 
eleve dans la troisieme section des paquets 
d'information qui sont compares. 

2. Un procede selon la revendication 1 , comprenant 
I'enregistrement d'information avec les etapes 20 
suivantes : 

(d) on emet sequentiellement des paquets 
d'information vers au moins des premiere et 
seconde unites de commande de dispositifs 25 
d'enregistrement redondants, pour I'enregistre- 
ment simultane de chaque paquet dans une 
position d'enregistrement correspondante pre- 
determinee des premier et second dispositifs 
d'enregistrement d'information redondants, au 30 
moins, chaque paquet d'information sequentiel 
comprenant (i) un identificateur de position 
d'enregistrement place dans une premiere sec- 
tion du paquet d'information, indiquant la posi- 
tion d'enregistrement de destination sur les pre- 35 
mier et second dispositifs d'enregistrement 
d'information redondants, au moins, pour le 
paquet d'information, (ii) une information placee 
dans une section section du paquet d'informa- 
tion, destinee a etre enregistree dans la position 40 
d'enregistrement qui est designee dans la pre- 
miere section, et (iii) un nombre particulier place 
dans une troisieme section du paquet d'infor- 
mation, qui est un nombre distinct, augmentant 

de facon monotone, qui est alloue a chaque 45 
paquet sequentiel qui est emis vers les unites 
de commande de dispositifs d'enregistrement; 
et 

(e) les unites de commande de dispositifs 
d'enregistrement redondantes utilisant I'identifi- so 
cateur de position d'enregistrement dans la pre- 
miere section de chaque paquet d'information 
recu pour acceder a une position d'enregistre- 
ment dans chacun des dispositifs d'enregistre- 
ment d'information redondants, et enregistrant 55 
le paquet d'information, comprenant les pre- 
miere, seconde et troisieme sections, dans les 
positions d'enregistrement sur lesquelles porte 



I'acces, des dispositifs d'enregistrement d'infor- 
mation redondants. 

3. Un systeme tolerant des defauts, comprenant : 

au moins des premier et second dispositifs 
d'enregistrement d'information redondants, 
chaque dispositif comprenant un ensemble de 
positions d'enregistrement pour enregistrer des 
paquets d'information separes; et 
au moins des premiere et seconde unites de 
commande de dispositif d'information congues 
pour effectuer des operations correspondantes, 
chaque unite de commande de dispositif d'infor- 
mation comprenant, 

des moyens pour acceder a un dispositif separe 
parmi les dits au moins premier et second dis- 
positifs d'enregistrement d'information redon- 
dants lorsque aucun des dispositifs d'enregis- 
trement ni aucune des unites de commande 
n'est invalide, pour ecrire un paquet d'informa- 
tion dans une position d'enregistrement prede- 
termined du dispositif d'enregistrement sur 
lequel porte I'acces, chaque paquet d'informa- 
tion comprenant (i) une premiere section con- 
sistant en un identificateur de position d'enre- 
gistrement correspondant a la position d'enre- 
gistrement, sur le dispositif d'enregistrement 
d'information redondant, a laquelle le paquet 
d'information doit etre enregistre, (ii) une sec- 
tion section constitute par I'information a enre- 
gistrer dans la position d'enregistrement qui est 
indiquee par la premiere section, et (iii) une troi- 
sieme section consistant en un nombre qui est 
un nombre separe, augmentant de facon mono- 
tone, qui est applique a chaque paquet sequen- 
tiel qui est enregistre dans le ou les dispositifs 
d'enregistrement d'information redondants, 
chacun des moyens d'acces etant egalement 
concu pour lire un paquet d'information dans 
une position d'enregistrement predeterminee 
du dispositif d'enregistrement sur lequel porte 
I'acces; et 

des moyens de comparaison, reagissant a la 
lecture par les moyens d'acces d'un paquet 
d'information se trouvant a une position d'enre- 
gistrement predeterminee sur le dispositif 
d'enregistrement associe, (i) en comparant 
I'information enregistree dans la seconde sec- 
tion du paquet d'information qui fait I'objet d'une 
operation d'acces, avec une information enre- 
gistree dans la seconde section de paquet 
d'information faisant I'objet d'une operation 
d'acces, dans des positions d'enregistrement 
correspondantes des autres dispositifs d'enre- 
gistrement, pour determiner si I'information pro- 
venant des positions d'enregistrement corres- 
pondantes faisant I'objet d'operations d'acces 
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concorde, et en emettant cette information vers 
un dispositif utilisateur final demandeur lorsque 
I' information est trouvee en concordance, pour 
mettre fin a I'etape de lecture de paquet, (ii) en 
comparant I'identificateur de position d'enregis- 5 
trement dans la premiere section du paquet 
d'information faisant I'objet d'une operation 
d'acces, avec I'identificateur de position d'enre- 
gistrement dans la premiere section de paquets 
d'information faisant I'objet d'une operation to 
d'acces, dans des positions d'enregistrement 
correspondantes des autres dispositifs d'enre- 
gistrement faisant I'objet d'operations d'acces, 
lorsque les moyens d'acces ont determine que 
I'information provenant de positions d'enregis- is 
trement correspondantes faisant I'objet d'ope- 
rations d'acces, dans les dispositifs d'enregis- 
trement faisant I'objet d'operation d'acces, ne 
concorde pas, et en emettant vers le dispositif 
utilisateur final I'information enregistree dans le 20 
paquet d'information qui contient I'identificateur 
de position d'enregistrement correct, lorsque 
les identificateurs de position d'enregistrement 
qui sont compares ne concordent pas, pour 
mettre fin a I'etape de lecture de paquet, et (iii) 25 
en comparant le nombre dans la troisieme sec- 
tion du paquet d'information faisant I'objet d'une 
operation d'acces avec le nombre dans la troi- 
sieme section de chacune des positions d'enre- 
gistrement correspondantes dans les autres 30 
positions d'enregistrement faisant I'objet d'ope- 
rations d'acces, lorsque (a) une concordance 
d'information n'a pas ete trouvee, et (b) les iden- 
tificateurs de position d'enregistrement ont ete 
trouves en concordance, pour emettre vers le 35 
dispositif utilisateur final I'information provenant 
du paquet d'information compare qui contient le 
nombre le plus eleve dans la troisieme section, 
pour mettre fin a I'etape de lecture de paquet. 
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